Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Ideas on a timechart with large volume

subtrakt
Contributor
‎06-16-2014 06:03 AM

Hi!
I have a timechart that run every ten minutes but the event volume is very high and sometimes the query won't complete in 10 minutes. The query is using an index also.

I'm open to any options. I just need to know percentage from about 6 different sources of traffic defined in a lookup "NAME" field.

Can timecharts rollover? I would think the chart could run a search once then constantly rollover into itself every 10 minutes instead of re-running the entire search again.

... | timechart span="2m" count by NAME

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-16-2014 04:37 PM

Check if you cannot optimize your lookup to happen after the timechart, instead of before. To avoid doing it for each event.

mysearch | bucket _time span=2m | stats count by fieldA _time | LOOKUP mylookup fieldA OUTPUT fieldB | timechart span=2m count by fieldB

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-16-2014 11:33 AM

That search looks very accelerate-able, try checking the Report Acceleration box.

0 Karma
Reply

subtrakt
Contributor
‎06-16-2014 08:08 AM

index=eAGG* sourcetype="AGG" SRC_CATEGORY="Aggregation" | timechart span="2m" count by SRC_NAME limit=12 useother=f

the scheduled search is set to delete saved search after 10 minutes because i figured it would fill up the splunk drive with tons of saved searches that are executed every 10 mins.

0 Karma
Reply

Ayn
Legend
‎06-16-2014 06:57 AM

This sounds like a good way to keep Splunk way too busy with rereading huge amounts of data over and over again. You should consider doing some kind of acceleration or summary indexing. Tell us more about your scenario, your data and your exact query and I'm sure we can come up with some good options.

0 Karma
Reply

subtrakt
Contributor
‎06-16-2014 06:29 AM

2 hour earliest search that is scheduled to run every 10 minutes.

0 Karma
Reply

MuS
Legend
‎06-16-2014 06:09 AM

I assume you only search the last 10 minutes if your run your timechart search at this interval? like:

you base search earliest=-10m | ...
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...